Cross‑Site Request Forgery (CSRF) in the Nazmul Ahsan Rename Author Slug WordPress plugin allows an attacker to submit form data that is stored on the server and later executed as JavaScript when normal site users load the affected page. The vulnerability is specifically a stored XSS that can be triggered by any authenticated user or by tricking an administrator into submitting a malicious request, giving an attacker the ability to steal cookies, session tokens, or perform other client‑side attacks. The weakness stems from the absence of a proper CSRF protection token (CWE‑352).

The issue affects all releases of the Rename Author Slug plugin up to version 1.2.0. WordPress sites that have installed any of these vulnerable versions are at risk.

With a CVSS score of 7.1 the vulnerability is considered high severity. The EPSS score is reported as < 1 %, indicating a very low probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. Nonetheless, an attacker who can successfully perform a CSRF attack could cause stored XSS that is executed in the browsers of any visitor to the site. The attack vector is likely indirect, requiring the attacker to persuade an authenticated user or administrator to submit a specially crafted request, but no additional credentials or system privileges are needed to exploit the flaw.